In Illinois, a unique effort to protect the grid from hackers

Photo By

State regulators in Illinois are staking out a unique foothold in an area of growing concern among public utilities: the security of information and digital assets in the smart-grid era.

Late last month, the Illinois Commerce Commission (ICC) announced the establishment of an Office of Cybersecurity and Risk Management to prioritize and support “the ongoing efforts of regulated Illinois utilities to protect critical infrastructure from cybersecurity risk and unauthorized access to system and electronic data.”

The move comes amid a rising local and global awareness of hacking and other forms of cyber-intrusions. Institutions, private businesses and government agencies across a range of sectors have found themselves targets of high-profile digital breaches.

Just within the past two years, hackers exploited human and virtual weaknesses to shut off power to hundreds of thousands in Ukraine, steal personal information on millions of people from the U.S. Office of Personnel Management, and released emails from the campaign staff of a leading presidential candidate. Hacking has gone from a seemingly distant threat to an everyday reality and concern for the public and private sector alike.

Meanwhile, the U.S. power grid has been undergoing a transformation from a largely disconnected system to one that depends heavily on sensors, data and telecommunications to keep the lights on. This intersection of energy and information technology exposes the industry to the same kind of cyberattacks that have disrupted businesses in retail, technology, entertainment and other sectors.

For the ICC, which regulates natural gas, telecommunications, water and sewer public utility companies in addition to the power sector, having an office focused on cybersecurity is a matter of being prepared in the event of Illinois’s critical infrastructure coming under attack from nefarious corners of the internet.

“If something does happen in this space, and we get the call from [the Illinois Emergency Management Agency] or our federal partners, we’ll know how to react,” says Cholly Smith, ICC’s executive director. “Also, proactively … we’re going to be in a very good position as a regulatory agency to answer questions about these technologies and how they are interacting with consumers’ everyday lives.”

‘We want to be a collaborator’

There are several federal agencies and regulatory bodies that are involved in the cybersecurity of critical infrastructure, but, to date, few state regulators have taken a significant step toward engaging in cybersecurity. Iowa, Washington, Texas and Pennsylvania have assembled cybersecurity teams, according to NARUC, but the ICC says they are unaware of any other state that has taken the formal step of establishing an office dedicated to the growing field.

ICC sees its role in the area less as a traditional regulator and more as a facilitator of dialogue and best practices among utilities that might not otherwise reach out to one another directly on the subject of information security.

Dominic Saebeler, director of the ICC’s new office, says he hopes the office can help utilities digest the massive amounts of studies, data and new information available daily in the cybersecurity realm.

“We want to be a collaborator,” Saebeler says. “We want to be viewed as someone who can add value as opposed to [being] just another person they have to report to and have look over their shoulders and tell them they’re not doing something right, or are doing something right.”

Saebeler, an Illinois attorney, has served previously as the state’s Chief Information Officer and General Counsel. Before coming to ICC, he was the chief of information technology policy at the Illinois Department of Innovation and Technology (DoIT), a state agency focused on technology that was established last January by Governor Bruce Rauner. For now, ICC’s Department of Cybersecurity and Risk Management consists of only Saebeler, but Smith says he hopes they can add more staff in the future.

‘Only as secure as the people who run it’

There have been no reported, major instances of a past cyberattack on Illinois utilities, though Saebeler says that utilities – as is the case in many sectors – regularly report of unauthorized users attempting to access secure systems. In 2011, a leaked intelligence memo claimed that Russian hackers destroyed a water pump at the Curran Gardner Public Water District near Springfield, Ill. This turned out to be false.

As part of establishing the new ICC office, Smith says the commission itself will also be boosting its own internal cybersecurity efforts, including partnering with DoIT to implement mandatory cybersecurity training for all staff.

Indeed, the human element is often the most vexing part of securing digital assets, analysts say.

“A system is only as secure as the people who run and operate it,” reads the NARUC report. “In case after case, attackers have successfully bypassed even the best security by taking advantage of regular users’ naiveté or lack of awareness to give an attacker access.” The report highlights the “phishing” method, in which a user downloads an attachment containing malware from an email message.

“We’re pretty confident [utilities] are doing everything that they can do, but we respect that there’s a threat out there,” Saebeler says. “We don’t respect the actors, but we respect their capability.”

Independent coverage of Illinois smart grid issues is made possible in part with a grant from the Illinois Science and Energy Innovation Fund.